Page
1
Exploring Enterprise Systems and Management Control in the Information Society: Developing a Conceptual Framework Presented at the 6th International Research Symposium on Accounting Information Systems, December 10-11 2005, Las Vegas, USA Pall Rikhardsson, PhD Associate professor The Aarhus School of Business
[email protected] Carsten Rohde, PhD Associate professor Copenhagen Business School
[email protected] Anders Rom, MSc PhD student Copenhagen Business School
[email protected] Abstract Society is evolving from the industrial society towards the information society where information technology plays a crucial role. Few IT innovations have had as much impact on business organizations in the past years as Enterprise Systems (ES). These systems affect most functions in the organization as they support and standardize business processes, integrate data, can integrate external business partners into business processes and influence management activities such as planning and control. The main objective of this paper is to add to the limited body of knowledge of the relationship between ES and management control. We describe the changes taking place in companies operating in the information society, describe and define management control and review existing research on the relationship between management control and enterprise systems. We criticize existing management control frameworks for not recognizing the significance of information, communication and risk control in today’s operating environment. Finally, we propose a framework for viewing management control in the information society.
1
Introduction
As argued in later sections, relatively few studies have looked at the relationship between Enterprise Systems (ES) and management control (Granlund and Mouritsen, 2003; Sutton, 2005). The literature reviewed in section 3.3, however, seems to indicate that ES influence management control systems, activities and practice. This paper is a part of a larger research effort being carried out by the Aarhus School of Business and the Copenhagen Business School in Denmark. The main objective of the research project is to add to the limited body of knowledge of the relationship between ES and management control. The main research question of this project as a whole is: How are enterprise systems designed and used for the support of management control? In order to answer this research question the concepts of enterprise systems and management control need to be defined. It is the purpose of this paper to develop a conceptual framework for describing the relationship between ES and management control. As such it reports on the results of the literature review and theoretical framework development of the project. Later papers will report the empirical results. In the following, apart from defining the concepts applied in the project, we aim to show that existing management control frameworks are not well suited at describing the relationship between ES and management control of contemporary organizations. We argue that there are two reasons for this, which will be expanded upon in later sections:
Page
2
1. Existing management control frameworks are often based on the workings of the industrial age enterprise (Hartmann and Vaassen, 2003). Today, information technology developments are driving the industrial society towards what has been called the information society. This implies changes in management control practices, structures and concepts (analogous to the development of management accounting triggered by among others Johnson and Kaplan (1989)). This is mainly due to the increasing importance of information and communication as control variables. This is often not adequately reflected in existing conceptual frameworks. 2. Existing conceptual frameworks do not adequately reflect current trends within management control practice, which to an increasing extent focuses on enterprise risk management (ERM), compliance with management control guidelines such as COSO (Committee of Sponsoring Organizations) and COBIT (Control Objectives for Information and related Technology) as well as legislation affecting management control such as the Sarbanes-Oxley Act. As such this control perspective is not reflected much in existing management control frameworks. At its core ERM is about control, identifying events and acts that could threaten achievement of organizational objectives and then implementing measures to minimize the risk of this taking place or manage the effects if it does. It could be argued that management control among other things is about minimizing the risk that organizational strategy is not implemented, organizational objectives are not achieved and that what should be done if this happens. Furthermore, information and communication are increasingly becoming the basis for business value creation as well as having economic value in themselves. This in turn increases the importance of controlling information quality, reliability of communication processes as well as controlling access and use of information as it becomes an economic asset. The main research question of this paper is: How can the relationship between ES and management control be conceptually depicted in a framework that incorporates the changes brought about by the information society as well as current trends in management control practice? In the next section we analyze the changing context of management control. In section 3 we first look into ESs as a technological innovation in organizations. Then we analyze existing frameworks of management control against the changed context. We close the section by reviewing research into the relationship between management control and enterprise systems. In section 4 we develop a conceptual framework on the basis of the analyses of the previous sections. Finally, we will conclude and identify a number of avenues for further research in relation to the conceptual framework of management control. 2
The Changing Context of Management Control
Today’s society is far different from the society of yesterday. As argued by Toffler (1990) and Gibson (1998) society has moved from an agrarian society to the industrial society and has now changed into the information society. This change means for example new products, new types of business, new sources of value, changes in production methods and changes in communication patterns (Toffler, 1990; Sjöblom, 2003; Kogut, 2003), which all fundamentally affect the way companies do business. What characterizes the information society more than anything else is the economic value given to information (Kogut, 2003) and consequently the importance of communication. Information has become a commodity that is produced and sold, the information content of products and services increases and reliable and relevant information becomes more and more important for decision making in fast changing business environments. Hartmann and Vaassen (2003) argue that companies can be classified into whether they are industrial age companies (or traditional companies) or information society age companies (or new companies). Classification of a company is done on the basis of variables such as the primary activity of the company, industry structures, competitive situation, geographical location and technological choices (Hartmann and Vaassen, 2003; Andon et al., 2003).
Page
3
However, traditional companies are also dependent on the generation and use of information even though this might not be a critical component of their market offerings. Consequently, they are also affected by the changes taking place in the marketplace and in competitive environments such as speed of changes, shorter reaction times, new competitors and alternative products (Deise et al., 2000). Furthermore, companies – traditional as well as and new – never operate in total isolation but enter into a network of relations with different stakeholders creating a web of information flows (Anderson and Sedatole, 2003). As the importance of information grows in these stakeholder relations (e.g. coordination of activities across organizational and geographical boundaries) the sharing of information becomes vital. Traditional as well as new companies will need to act and react on this demand to survive. Table 1 below is a reproduction of the characteristics of traditional and new organizations identified by Hartmann and Vaassen (2003, p. 116). The classification in table 1 should not be seen as an either-or classification but as a continuum of change where organizations exhibit the characteristics of the new organization in varying degrees (Andon et al., 2003; Sjöblom, 2003). Table 1. Characteristics of traditional and ‘new’ organizations (Hartmann and Vaassen, 2003, p. 116) Characteristic Production routine Technology imperative Information systems
Traditional organization Mass production Technological determinism Legacy information systems
Task demarcation Task complexity Core labor force
Well-defined tasks Simple tasks Core of production workers
Thightness of labour relations Degree of specialization Decision-making
Life-time employment Integration Centralized
Managerial challenge Dominant control mode Perfect control
Control Cybernetic Achieving ex ante plans
New organization Mass customization Technological discretion Multi-purpose information systems Ambiguous tasks Complex tasks Core of knowledge workers, and periphery of part-time and temporary workers Employability Outsourcing Decentralized, workers being empowered Flexibility Interactive Realizing ex post potential
The development and utilization of information technology plays a central role in the information society and it is indeed difficult to imagine an information society without technologies to record, process and report information. The characteristics in column 3 of table 1 imply the importance of issues such as information content of products and processes, integration of business processes, coordination of tasks and production of accurate decisionrelevant information faster than the competitors. That is to say, companies exhibiting the characteristics on the right hand of table 1 would be more dependent on information technology as an inherent part of or even the basis for doing business. Information technology is of course also important to the companies exhibiting the characteristics in column 2 of table 1. However, these companies might be expected to base their value proposition on other activities than their ability to process and utilize information. An important type of information systems that has appeared within the last decade is enterprise systems. Research has shown that Enterprise systems have the potential to change the companies adopting these systems (Rikhardsson and Kræmmergaard, 2005; Rom and Rohde, forthcoming). These changes potentially include management control. The next section will look into ESs, existing management control frameworks and their interrelationship. 3
Enterprise Systems and Management Control in the information society
In this section we will take a look at ESs and their characteristics. The past couple of decades have brought about many changes to information technology, which in turn has had an impact
Page
4
on the relationship between information technology and management control. Whether we are experiencing a misfit between existing management control frameworks and contemporary organizations will be explored. Finally, the relationship between management control and ESs is subject to investigation. 3.1
Enterprise Systems
It could be argued that few IT innovations have had as much impact on business organizations in the past years as enterprise resource planning (ERP) systems. ERP systems are modular systems based on a client/server technology, which offer comprehensive functionalities that support and integrate most business processes such as accounting, sales, purchasing and production. Apart from internal integration these systems offer the possibility of integration with external business partners as well such as customers and suppliers in a supply chain (Klaus et al., 2000). Data are stored in a single database, which eliminates redundancy and the need to update data in several different subsystems (Davenport, 1998; Davenport et al., 2004). Today, virtually every major business has implemented one or more ERP systems. It is estimated that organizations worldwide spend around US$18.3 billion every year on ERP systems (Shanks et al., 2003). A recent study in Denmark revealed that more that 75% of the 500 largest enterprises had implemented one or more ERP system, indicating that ERP systems are to be considered a persistent part of organizations. Therefore, the management and organization of ERP technology and the innovative use of ERP systems are to be considered in almost any business context (Møller et al., 2003). While the focus of ERP systems is mainly on the operational and tactical level, Fahy (2000) argues that they lack comprehensive reporting and analysis functionalities at the strategic level. Rom and Rohde (forthcoming) even argue that ERP systems are in effect giant “calculation machines” and are mainly developed to process transaction information. As such these systems have in the past been somewhat less successful in processing and reporting this information in supporting the various decision making processes in the organization (Booth et al., 2000; Granlund and Malmi, 2002). However, this is changing with the advent of what are here called business analytics and reporting (BAR) systems which include various analytical applications such as balanced scorecard, budgeting, consolidation etc. The BAR systems are linked (often through a data warehouse) to the transaction processing “engines” of the ERP system (Brignall and Ballantine, 2004). It should be noted that our definition is similar to Brignall and Ballantine’s (2004) who talk of Strategic Enterprise Management (SEM) systems. However, to avoid confusion with SAP’s product suite with the same name (SAP, 2004) we prefer the term business analytics and reporting systems or BAR systems. Today, transaction-oriented ERP systems are combined with information extraction and reporting technologies (BAR systems) either from an ERP vendor or from an ERP vendor combined with software from a third party vendor. The term “enterprise system” (ES) will hereafter be used to refer to this combination. It does not include, for example, spreadsheets as these are not standard systems and not an integrated part of the system. However, applications like Cognos and Hyperion (Clark, 1997; Classe, 1998; Dragoon, 2003) are included, if they conform to the demands of being a standard system and integrated with an ERP system. Stand-alone BAR systems not connected to an ERP system are not referred to as part of the ES though. The development of ESs in organizations is often described in terms of waves (Shanks et al., 2003). The first wave includes the acquisition, configuration and implementation of ERP systems along with changes inflicted on the organization after going live with the system for the first time. Second wave projects are spurred by some of the questions managers are asking after having gone through first wave projects (Kræmmergaard and Koch, 2002). These include: How can we gain greater benefits from our ERP investments? How can we manage and enhance our ERP system to continuously align the system with the strategy and structures of the organization? How will the ERP system impact the business and create new ways of working? How will ERP systems impact management practices in the short and long run? This means that implementation issues are no longer of primary concern but the focus has shifted to the utilization and development of the ERP system as well as the business value
Page
5
enhancement of these systems. Adding BAR systems or functionality for developing an ES are examples of second wave projects (Rikhardsson and Kræmmergaard, 2005). We have a relatively good understanding of the first wave of ESs (Esteves and Pastor, 2001; Dong et al., 2002; Al-Mashari, 2003). Only recently we have seen research aimed at the second wave of ESs – i.e. beyond the cost-intensive implementation phase. However, this research has a clear message: These systems have the ability to transform a business (Rom and Rohde, forthcoming), but only if the organization is able to integrate the activities – not only internally, but also across the supply chain as well as leverage the information in company decision making (Markus et al., 2003; Ross et al., 2003; Davenport et al., 2004). One of the processes affected is management control. Below we investigate the concept of management control and the fit between existing management control frameworks and the contemporary information society where ESs are a persistent part of business. 3.2
Management control in the information society
Control has been defined in several different ways. Some sources have even identified over 50 different meanings of the term “control” (Rathe, 1960). The accounting and organizational literature uses terms such as management control, organizational control, internal controls, strategic control, operational control and financial controls, which all seem to revolve around the same concept. The literature study reported below shows that there are new issues appearing in the management control debate, which can be linked to the transformation to the information society. Academic understanding of management control mainly falls within two categories: 1. Control as a cybernetic management system including environmental impulses, organizational responses and achievement of organizational objectives (e.g. Otley and Berry, 1980; Flamholtz et al., 1985) 2. Control as a management system focused on implementing strategy in an environment where strategy needs to be revised on an ongoing basis (e.g. Simons, 1995; Kaplan and Norton, 1996) Recently, a third category seems to be emerging: 3. Control as a management system aimed at assessing, minimizing and controlling business risk associated with company business processes, business transactions, information technology applications and information dissemination to internal and external decision makers (e.g. COBIT, 2004; COSO, 2004) These will be analysed in light of the information society below. Management control as a cybernetic system Literature on management control as a cybernetic system delivers a number of definitions of management control. Some of these definitions are presented in the table below. Table 2. Definitions of management control as a cybernetic system Author(s) Lowe (1971, p. 5)
Otley and Berry (1980, p. 235) Flamholtz et al.
Definition of management control “…a system of organizational information seeking and gathering, accountability, and feedback designed to ensure that the enterprise adapts to changes in the substantive environment and that the work behavior of its employees is measured by reference to a set of operational sub-goals (which conform with overall objectives) so that the discrepancy between the two can be reconciled and corrected for.” “…the process of ensuring that the organization is adapted to its environment and is pursuing courses of action that enable it to achieve its purposes.” “…attempts by the organisation to increase the probability that
Page
(1985, p. 35) Emmanuel et al. (1995, p 11)
6
individuals will behave in ways that will lead to the attainment of organizational objectives.” “…processes by which organizations govern their activities so that they continue to achieve the objectives they set for themselves.”
There are some common elements in the definitions in table 2. Based on these, management control is about: − − − −
Achieving organizational objectives Adapting to the environment Information collection, processing and reporting Influencing the behavior of organizational members
Describing the characteristics of a management control system, Anthony and Govindarajan (2003, p. 4) identify a number of elements that are present in control systems. The authors draw analogies to systems such as automobiles, thermostats and the human body – i.e. cybernetic systems. These elements are: 1. A detector or sensor which measures what is happening in the situation that is being controlled. 2. An assessor which is a device that assesses the significance of what is happening. This is usually done by comparing the information on what is happening to some expectation of what should be happening. 3. An effector which is a device that alters behavior if the assessor indicates that this is needed. 4. A communication network which transmits information between the detector, the sensor and the effector. This looks at management control as a simple cybernetic system much like a thermostat where there is a single feedback loop. Fundamentally, implementing and running a management control system means ensuring that the organization does the right things in the right way both regarding internal operations and the fit to the external operating environment (Lowe, 1971). Frameworks like the one proposed by Flamholtz et al. (1985) focus on this from the perspective of controlling work behavior and outcomes so that the organization reaches its goals. A cybernetic view of management control has a number of shortcomings when compared to an information society with new organizations. Characteristics of these new organizations were presented in table 1 above. The new organizations have ambiguous and complex tasks. This implies that both the processes and goals of tasks and of organizations in total cannot be specified a priori. A cybernetic management control system does not match this situation. A misfit exists between a cybernetic view of management control and new organizations in an information society. Management control for implementing strategy Recent writings on management control take a broader view of management control (Anthony and Govindarajan, 2003; Chapman (ed.), 2005; Simons, 2005). These recognize that there are not always preset quantifiable standards to which to measure performance against but management control still takes place through supervision, codes of conduct, guidelines etc. (Merchant and Van der Stede, 2003). Controls are also designed to prevent deviations instead of only reacting or discovering to control problems, which is the view inherent in much of earlier writings on management control. Anthony and Govindarajan (2003, p. 6) point out some of the characteristics of management control that actually make it more complex than a simple cybernetic system: 1. The standard to which performance is compared is not preset but a result of a planning process which is an integrated part of the management controlling process. 2. Management control is not automatic but requires action, communication, integration on behalf of the manager in some way.
Page
7
3. Management control requires coordination among individuals. 4. The connection between the observed need for action and the behavior that is required to obtain the desired action is not clear-cut as it involves judgment, is based on management values, culture etc. 5. Much control in organizations is self-control. People act in a certain way, not because their managers tell them to, but because their own judgment tells them what behavior is appropriate. Thus, management control is not about goals achievement in isolation but also about implementing corporate and business unit strategy. When management control is about implementing strategy then it is defined as done in the table below. Table 3. Definitions of management control for implementing strategy Author(s) Simons (1995, p. 5) Anthony and Govindarajan (2003, p. 10)
Definition of management control “…the formal, information based routines and procedures managers use to maintain or alter patterns in organizational activities.” “…the process by which managers influence other members of the organization to implement the organization’s strategies.”
As pointed out by Simons (1995) this entails controlling two dimensions of human behavior that at first glance seem incompatible. One is the creative innovation process which should ensure that the company renews itself and its offerings to the market. The other is ensuring that organizational actors fulfill the goals set out by management as well as management fulfilling the goals set out by owners and external stakeholders. Simons calls this “organizational tensions” i.e. where managers use control systems to balance these “tensions” (Simons, 2000, p. 7). Looking at what activities actually comprise a management control system, current research indicates that control activities can be categorized in one of two ways. Chenhall (2003) has for example classified the findings of numerous authors into whether management control activities are mechanistic (i.e. relying on formal rules, standardized operating procedures and routines) or organic (i.e. flexible, responsive, based on few rules and standards). Although not wrong in it self, classifying these into two broad categories seems like bit of an oversimplification, when looking at the plethora of control activities in use in organizations. Classification along other dimensions is needed as well. Some of the attributes of management control that can be added to the attribute of mechanic vs. organic management control seem to be: 1. Level of control: Is the control activity performed at the level of employees, business unit (such as a sales organization), business process (e.g. a production process or a purchasing process), organization (such as a company) or a supply chain (i.e. from resource extraction to the finished product)? 2. System integration: Is the control based on one person influencing the behavior of (an)other person(s) or is it a control that is integrated into a system or a process that influences the behavior? 3. Accounting relation: Is the control activity primarily a financial control based on accounting processes such as budgeting or cost control, or is it primarily related to controlling for example production flows or logistic flows in for example production management? 4. Decision relevance: Is the aim of the control to enhance decision making or is the aim to secure the correct and efficient conduct of business transactions? 5. Temporal placement: Is the control aimed at detecting deviations (detective controls) from plans or goals or it is aimed at preventing these deviations from happening in the first place (preventive controls)?
Page
8
Summing up on the above: Current understanding of management control would thus seem to define management control as an organizational system consisting of specific processes which are aimed at ensuring the implementation of organizational strategy, which may change over time, enabling the achievement of organizational goals as well as enabling reactions to changes in the operating environment. This is done by limiting and/or enabling the behavior of organizational members through application of various control activities which takes place in an organizational control environment. Management control system characteristics seem to be dependent on contextual variables such as size, organizational structure, technology, strategy and operating environment. Control activities in the organization can be classified along several attributes such as mechanistic vs. organic (Chenhall, 2003), level of control and temporal placement. Information and information systems are an essential part of a new organization (referring back to table 1). The management control framework by for example Simons (1995) neglects the entire domain of information. In order to make for example diagnostic controls work an information system is needed. Measures in a diagnostic control system are not worth much if information is not reliable and timely. Thus, shortcomings are also present when management control is defined as a system for implementing strategy. Management control and enterprise risk management A literature on enterprise risk management (ERM) is emerging. With the scandals of Enron and WorldCom focus is now to a large extent put on managing the risks that inevitably is a part of an organization’s life. ERM thus seems to have gained top management attention. Much is at stake as it is the responsibility of the board that for example assets are not misappropriated. The accounting information systems (AIS) literature is also to a large extent including ERM as part of management control (Gelinas et al., 2005). Two more definitions of management control are provided in the table below. This time from an ERM perspective. Table 4. Definitions of management control for enterprise risk management Author(s) COSO (1992)
Gelinas et al. (2005, p. 237)
Definition of management control “Internal control is broadly defined as a process, effected by an entity's board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: • Effectiveness and efficiency of operations. • Reliability of financial reporting. • Compliance with applicable laws and regulations.” “Internal control is […] a system of integrated elements – people, structure processes and procedures – acting in concert to provide reasonable assurance that an organization achieves its business process goals.” (Emphasis in original)
Control is according to these definitions about assuring that an organization achieves its objectives. Assurance is about making sure that the opposite is not happening. Risks exist that the organization will not achieve its objectives. Since control and risks is closely linked together within this literature it is reasonable to provide a definition of ERM (COSO, 2004, p. 2): “Enterprise risk management is a process, effected by an entity’s board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” According to the two definitions of control and ERM provided by COSO (2004) both concepts are about assuring achievement of objectives. ERM thus seems to be an enhancement to control.
Page
9
In the COSO guidelines, control is achieved through e.g. carrying out various control activities including a range of activities as diverse as approvals, authorizations, verifications, reconciliations, reviews of operating performance and segregation of duties. COSO also stresses that control is carried out in an organization in a control environment, influencing the control consciousness of organizational actors. It is the foundation for all other components of internal control, providing discipline and structure. Control environment factors include the integrity, ethical values and competence of the organizational actors; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors. This is similar to what Chenhall (2003) calls control culture. Another central element in the COSO guidelines is risk assessment and management. COSO recommended that companies initiate a risk assessment process with the aim of analyzing what threats the company faces and what control activities are needed to manage these risks. The risks include for example the risk of fraud and misappropriation of assets. In the wake of recent events such as the collapses of ENRON and WorldCom, focus on business risk management has increased (CFO, 2005). Especially its links to management control on the one hand and information technology on the other have emerged as significant issues (COBIT, 2004). Furthermore, the passing of the Sarbanes-Oxley act (SOX) in the US has had some influence on the debate. The fundamental aim of SOX is to minimize the risk of fraud and significantly misrepresentative financial statements. Some of the main tools identified for this purpose in the SOX are internal controls and risk management. That is to say, companies have to explicitly focus on different types of risks (such as the risk of false information in annual reports or misappropriation of funds), the internal control structures in place to address this risk and evaluate the quality of these internal controls. This adds a dimension to the concept of management control as described above (COBIT, 2004; COSO, 2004; CFO, 2005). After the first year of SOX compliance initiatives, the focus has moved towards how ERM can be implemented and SOX (and other, similar regulation) can be complied with the most effective use of resources. In this context ESs and business process integration plays a role through the potential for automating compliance and internal control monitoring and evaluation (Rosemann and zur Muehlen, 2005). The PCAOB Auditing Standard states the importance of “the nature and characteristics of a company’s use of information technology in its information system affect the company’s internal control over financial reporting” (COBIT, 2004, p.12). The goal with changing manual control systems to automated compliance systems is to make the control environment pervasive and transform controls from detective to preventive control types (CFO, 2005). Automated controls are enabled to a large extent by the advent of ESs which support business processes across organizational, functional, geographical and spatial boundaries (CFO, 2005). Due to the cross process integrative nature of these systems they affect control issues such as control planning, control monitoring, authorizations, reconciliations, reviews, segregation of duties, risk assessments. The developments described above revolve around management control to a large extent. But compared to the traditional theoretical management control frameworks the emphasis is different, including: 1. The focus on risk and compliance: The events that make management control necessary in the first place are defined in a risk context. This can encompass external events such as faulty deliveries or natural disasters or internal events such as fraud or information falsification. 2. The importance of information and information technology: The risk management perspective inherent in COSO sees information as critical if the organization is to achieve its objectives through decision making at all levels as well as reporting quality information to external stakeholders. Thus the quality of information for external and internal decision making and the controls to secure this information quality play a significant role in the ERM framework. Information quality is not an objective concept
Page 10
but includes the characteristics of the user of the information, the context it is used in as well as the integrity, reliability, timeliness and understandability of the information. This means an explicit focus on the technologies such as ESs that are used to register process and report information in the organization. 3. The emphasis on communication: The ERM framework recognizes the importance of communication processes in management control. Both in communicating control objectives and activities to organizational members but also the communication of reliable decision relevant information to internal and external stakeholders. 4. The focus on business processes: The ERM framework looks at the business processes of the organization as the place where risk materializes, where information is generated and used and where control activities are carried out. COBIT (2004) links business processes such as manufacturing, accounting and logistic to IT in general and application controls in ERM. As ESs are based on supporting business processes the focus on business processes in management controls would be a necessary element of a management control framework seen in a risk management context. ERM cannot be considered a total management control framework in that it only to a limited extent deals with the positive side of variations. ERM is almost exclusively focused on making that negative events do not happen. ERM might be categorized as a diagnostic control system (Simons, 1995) and as such the ERM perspective on management control seems to miss the belief and interactive controls. Linking management control and the information society Linking the above to the analysis of frameworks of management control it could be argued that these frameworks do not allocate much significance to information and communication (Hartmann and Vaassen, 2003). Further, it could be argued that many traditional frameworks are firmly rooted in the cybernetic concept of control which might have been applicable to industrial society organizations (and still is) but needs to be changed to capture the effects of the information society and information technology on control. Hartmann and Vaassen (2003, p. 126) have developed a management control framework for the new organization or an organization exhibiting much of the characteristics to the right of figure 1. This framework distinguishes itself from frameworks proposed by for example Otley and Berry (1980), Flamholtz et al. (1985) and Simons (1995) in that it acknowledges the importance of information and communication in the control environment of the information society. The framework includes three basic control domains. The first is the business domain which is defined as the domain where the companies business processes take place i.e. the organizational “logistics core” or value chain (Hartmann and Vaassen, 2003, p. 126). The authors argue that traditional frameworks usually address this control domain only. The second control domain is the communication domain which communicates information to and for the business processes including internal reporting. The third domain is the information domain, which contains the technology employed to communicate information i.e. not the content of information and communication but the form in which it is registered, processed and communicated. The framework includes a causal relationship as it presupposes that good controls in the business domain require good controls in the communication and information domain (Hartmann and Vaassen, 2003, p. 127) While the framework by Hartmann and Vaassen (2003) addresses the needs of new organizations in the information society it has its limitations. First, it does not include the ERM perspective, which has become an increasingly import part of management control. Second, the limited focus on accounting information systems does not seem to be appropriate as a range of other systems support the activities of management control (see the next section on ESs and management control). Third, it focuses extensively on knowledge management which might be relevant to some companies but not necessarily to all. Fourth, although it addresses the issue, the focus on business processes and their links to accounting information systems is somewhat vague and could be expanded upon.
Page 11
Before moving on to our development of a framework of management control that addresses the needs of the new organization and includes the perspectives of ESs the relationship between management control and ESs will be explored. 3.3
Enterprise Systems and Management Control
Integrating the above discussion on ES and management control one could ask why ESs are interesting in a management controlling context? As mentioned above the transformation from the industrial society to the information society is largely due to advances in information technology and the impact this has on the way people work, trade, travel, communicate and entertain themselves. This in itself has an impact on how companies carry out production, logistics, accounting, marketing etc. as well as strategic and operative planning (Hartmann and Vaassen, 2003). Exploring and understanding the impact of these changes on organizational behavior becomes interesting in itself. In this context, Hartmann and Vaassen (2003) argue that the advent of the new organization has challenged management control practices and philosophies as these were mainly developed in industrial age companies. More specifically, ESs can be seen as a part of the advances in information technology that drive some of the social changes mentioned above. As described above, ESs imply a radical change in how information systems are used to manage data and information and their role in supporting decision making, business process coordination and interaction both inside the company as well as in managing external business relations. The implied integration of business processes, the increased information transparency and the organizational changes that often take place during an ERP implementation (Rikhardsson and Kræmmergaard, 2005) also have implications for accounting and controlling processes (Spathis and Constantinides, 2004). Thus, understanding the relationship between management control and ES is interesting as a part of a broader process focusing on the effects of information technology on organizational behavior in general but also more specifically regarding the effects on a specific information technology on planning and decision processes and management practices. In total, our search for literature that specifically addresses ES and management control seems to support the conclusions of Granlund and Mouritsen (2003) and Sutton (2005) who claim that research into these issues is relatively scarce. It is notable though that research into this aspect of ES seems to focus on two issues. One is the link between mostly ERP systems and management accounting (see e.g. Booth et al. (2000), Granlund and Malmi (2002), Hyvönen (2003), Caglio (2003) and Spathis and Constantinidis (2004)). The other is the link between overall management control and ES. Our understanding of management control is broader than just the aspects linked to the accounting department and management accounting tasks specifically which will be reflected in the discussion below. Firstly, changes in management control seem to be linked to ES but not in a unidirectional relationship. That is to say, ES is a contingent factor impacting management control practices. This impact might in some cases be significant, but there are usually other change variables at work at the same time (Scapens and Jazayeri, 2003; Rom and Rohde, 2005). Cowton and Dopson (2002) in a study of management control changes in a large UK automotive distributor found that the changes were caused by organizational changes, changes in performance measurement as well as the implementation of a new enterprise system. The changes in management control also seem to be dependent on manager’s interpretation and perception of the changes taking place. Managers seem to perceive changes in what could be called degrees of freedom regarding an ES (Cowton and Dobson, 2002; Elmes et al., 2005). That is, the new system enables certain action while limits others, which often differs from what was possible in the old system. An interpretation could be that the ES entails changes in both coercive and enabling controls (Alder and Borys, 1996). But the changes are not uniform across the entire organization meaning that different managers interpret them in different ways. This is also reflected in the study by Ahrens and Chapman (2004) which – although not focusing on ERP systems as such – showed the importance of management
Page 12
interpretation of the changes taking place and their use of the management control system in achieving flexibility and efficiency. Further focusing on changes in enabling and coercive controls, it also appears that an ES can increase employee empowerment and control at the same time. Elmes et al. (2005) have called this “panoptic empowerment” and “reflective conformity”. The first addresses the simultaneous increase in control and empowerment which occurs through increased information visibility. That is to say employees have information that can affect the way they do their jobs. At the same time managers and employees have greater visibility through the ES of each other, which increases disciplined behavior. The second effect, “reflective conformity”, is when the “regime of truth” shifts away from valuing “heroic”, single actions in the name of expediency and effectiveness to more disciplined action within the constraints of the ES. This conformity is not followed by decrease in reflection as one could expect but an increase, mainly related to problem solving in relation to the use of the ES and getting the system “wrapped around” the realities of operations. ESs also seem to affect the role of accounting in management control. The accounting function is basically an information registration, processing and reporting function in the company which also includes information used for management control. As ESs offer new possibilities in information management, integrate functions and enable decentralized reporting of accounting information, the tasks and functions of the accounting department are affected (Booth et al., 2000; Granlund and Malmi, 2002; Caglio 2003; Hyvönen, 2003; Spathis and Constantinidis (2004). Caglio (2003) notes, that accounting information retrieval, processing and reporting is no longer necessarily the sole domain of accountants. On-line data retrieval tools (e.g. the BAR systems discussed earlier) and more user-friendly user interfaces enable non-accountants to get the information they need without involving the accounting department. Caglio (2003) proposes that the traditional view of the accounting department as the centre of the organizational information system as well as the nexus of management control is challenged (Caglio, 2003, p. 124). Control becomes an activity that is integrated with commercial management rather than being functionally separated from it. This is supported by Dechow and Mouritsen (2005) who reach the conclusion that ESs enable the separation of management control from the management accounting function even if this was not the intention. Thus, control is no longer the domain of the accounting department but a collective affair where ESs define the logic through which control is performed. Dechow and Mouritsen conclude that management control is not reinvented with the implementation of ES but becomes a collective affair including human actors and “machine” actors such as the ES. ESs also change the way control activities are carried out. A survey of 180 senior finance executives in the US showed that ES enables the automation of controls such as information access, documentation of control activities, monitoring controls, information retention and reporting, compliance management and testing of segregation of duties (CFO, 2005). Apart from simplifying compliance with for example SOX this seems to increase efficiency in the management control process. The ES also makes new controls possible or changes the way that old controls have been carried out. For example, documentation of control structures or comparisons of user access and employee functions (in segregation of duties controls) can be made more effective and less costly within the ES (CFO, 2005). Apart from a shift from manually based controls to automated controls the study showed an increasing management awareness of making controls preventive instead of detective. That is, activities or events that are undesirable or counter to organizational aims should be prevented from happening instead of being detected or discovered after they have taken place. Based on the above studies some tentative conclusions can be drawn regarding current research on the relationship between ES and management control: 1. The effects of ES on management control can be expected to vary between different organizations depending on organizational and environmental characteristics. 2. ESs seem to affect the combination and distribution of enabling and coercive controls in an organization – i.e. enabling some actions while restricting others.
Page 13
3. ESs seem to affect the aim of the control framework in an organization regarding whether it should be based on preventive controls or detective controls and how the mix between these two should be. 4. ESs seem to decentralize control and decouple it from the accounting department thus changing the role and function of this department in the ES post-implementation phase. This implies that control activities are to some extent integrated into the processes built into the ES architecture as well as the various functions of the enterprise thus delegating control and making it more impersonal. 5. ESs enable the automation of some control activities reducing the need for manual tasks and involvement, making control more cost-effective and enabling new controls to be implemented. 6. The advent of ESs increases focus on the role of information in control activities as well as communication of this information. Easier access to information and new communication technologies results in the decentralization of control. 4
A Conceptual Framework for Management Control: Integrating the New and the Traditional, Strategy and Risk.
In the following we build on the framework developed by Hartmann and Vaassen (2003). However, we would like to extend and expand the framework in a number of ways. First, we would like to divide the control domains into two overall control foci. One is controlling for strategy and organizational objectives and another is controlling for risk. Controlling for strategy and organizational objectives focuses on “moving” the organization towards its objectives and according to its strategy, as well as limiting this movement to the objectives in question by managing organizational tensions (Simons, 1995, 2005). Controlling for risk on the other hand takes its point of departure in the argument above that risk is fast becoming a major focus area in today’s business where ERM frameworks adopt control mechanisms which to some extent overlap traditional management controls. By including this area in the overall framework we attempt to bridge the gap between traditional management control frameworks and the internal control frameworks described in for example COSO (2004) and COBIT (2004) as well as in textbooks on risk management (e.g. Pickford, 2000), accounting information systems (e.g. Gelinas et al., 2005) and information system audits (Weber, 2000). Second, we would like to reduce the focus on knowledge creation in the original framework and focus on the value created in the business processes themselves thus giving more importance to business processes as the main control object. Third, instead of limiting the focus of the information domain to accounting information systems, as done in the framework by Hartmann and Vaassen (2003), we would like to extend it to information systems in general. The argument is, as described above, that in today’s information systems, control is no longer the sole domain of the accounting department and limited to accounting information systems. It thus seems natural to include information systems in general in this domain including ES and AIS. Finally, the causal relationship in the model implies that to be able to create value in business processes, the actors in these processes need information about these processes as well as the environment in which the business processes are carried out in. The framework of management control is shown in the figure below. Figure 1. A management control framework of new organizations (based on Hartmann and Vaassen, 2003).
Page 14
Information domain
Communication domain
Information systems
Communication of Information
Business process domain
Controlling for strategy Business process value creation
Controlling for risk
In the framework by Hartman and Vaassen (2003) the control objectives were bound to accounting information systems, management accounting and internal control and management control respectively. In the framework shown in figure 1 the control objectives are extended as shown in table 5 below. Table 5. Control objectives in the new framework of management control Information systems
Communication
Business processes
Controlling for strategy
Ensuring the fit between company information systems, strategy and objectives
Ensuring the fit between business processes, corporate strategy and objectives
Controlling for risk
Securing the acquisition, utilization and development of company information technology
Ensuring the relevance of information for implementing strategy and achieving objectives Securing information quality, access and utilization
Control area Control focus
Securing correct conduct of business processes
5 Conclusion and avenues for research This paper has focused on the changing context of management control given the change towards the information society and the advent of ESs. The paper has focused on the limitations of existing frameworks given these changes and proposed a new framework for describing the relationship between ES and management control. Linking the new framework of management control to enterprise systems, a number of research questions can be identified. These include: − − − − −
How are ESs supporting the activities of controlling for strategy and risk respectively? Are ESs making management control more effective? How do ESs affect the distinction between mechanistic/organic controls, automatic/manual controls and preventive/detective controls in the organization? How are changes in management control through ES affecting traditional organizations and new organizations respectively? What are the implications of ES for the company control culture?
Page 15
− −
6
How are different control activities being affected through the utilization of ES regarding strategy and risk respectively? What is the new role of management accounting in companies given ESs and the decentralization of control?
References
Alder, P. and B. Borys (1996): ‘Two Types of Bureaucracy: Enabling and Coercive‘, Administrative Science Quarterly, volume 41, issue 1, pp. 61-89 Ahrens, T. and C. S. Chapman (2004): 'Accounting for flexibility and efficiency: A field study of management control systems in a restaurant chain', Contemporary Accounting Research, volume 21, issue 2, pp. 271-301 Al-Mashari, M. (2003): ‘Enterprise resource planning (ERP systems): A research agenda’, Industrial Management and Data Systems, volume 103, issue 1, pp. 22-27 Anderson, S. and Sedatole, K. (2003): ‘Management Accounting for the Extended Enterprise’, in Bhimani, A. (Ed.): ‘Management Accounting in the Digital Economy’, Oxford: Oxford University Press Andon, P., J. Baxter and W. F. Chua (2003): ‘Management Accounting Inscriptions and the Post-Industrial Experience of Organizational Control’, in Bhimani, A. (Ed.): ‘Management Accounting in the Digital Economy’, Oxford: Oxford University Press Anthony, R. and V. Govindarajan (2003): ‘Management Control Systems’, New York: MacGraw Hill Booth, P., Z. Matolcsy and B. Wieder (2000): ‘The Impact of Enterprise Resource Planning Systems on Accounting Practice – The Australian Experience’, Australian Accounting Review, volume 10, issue 2, pp. 4-18 Brignall, T. J. S. and J. Ballantine (2004): ‘Strategic Enterprise Management Systems: new directions for research’, Management Accounting Research, volume 15, issue 2, pp. 225-240 Caglio, A. (2003): ‘Enterprise Resource Planning systems and accountants: towards hybridization?’, European Accounting Review, volume 12, issue 1, pp. 123-153 CFO
Research Services (in collaboration with Virsa Systems and PricewaterhouseCoopers LLP) (2005): ‘Compliance and Technology: A Special Report on Process Improvement and Automation in the Age of Serbanes-Oxley’, Boston: CFO Publishing Corp.
Chapman, C. (ed.) (2005): ‘Controlling for Strategy: Management Accounting and Performance Measurement’. Oxford: Oxford University Press Chenhall, R. (2003): ‘Management Control Systems Design Within its Organisational Context: Findings from Contingency-based research and Directions for the Future’, Accounting, Organizations and Society, volume 28, issue 2-3, pp. 127168 Clark, W. (1997): ‘The New Breed of Analytic Applications’, Management Accounting, volume 79, issue 6, pp. 57-59 Classe, A. (1998): ‘Support for the strategists’, Accountancy, volume 121, issue 1258, pp. 50-53 COBIT (2004). ‘IT Control Objectives for Sarbanes-Oxley’, Rolling Meadows (IL): IT Governance Institute COSO (1992) : ‘Internal Control - Integrated Framework’, Committee of Sponsoring Organizations (COSO) (http://www.coso.org/publications/executive_summary_integrated_framework.ht
Page 16
m) (accessed October 14th, 2005) COSO (2004) ‘Enterprise Risk Management – Integrated Framework’. Committee of Sponsoring Organizations (COSO), September 2004, available from www.coso.org (accessed October 13th, 2005) Cowton, C. and S. Dopson (2002): ‘Foucault's Prison? Management Control in an Automotive Distributor’, Management Accounting Research, volume 13, issue 2, pp. 191-214 Davenport, T. H. (1998): ‘Putting the enterprise into the enterprise system’, Harvard Business Review, volume 76, issue 4, pp. 121-131 Davenport, T. H., J. G. Harris and S. Cantrell (2004): ‘Enterprise systems and ongoing process change’, Business Process Management Journal, volume 10, issue 1, pp. 16-26 Dechow, N. and J. Mouritsen (2005): ‘Enterprise resource planning systems, management control and the quest for integration’, Accounting, Organizations and Society, volume 30, issue 7/8, pp. 691-733 Deise, M., C. Mowikow, P. King and A. Wright (2000): ‘Executive's Guide to EBusiness : From Tactics to Strategy’, New York: Wiley Dong, L., D. Neufeld and C. Higgins (2002): ‘The Iceberg on the Sea: What Do You See?’, Proceedings of the Eighth Americas Conference on Information Systems, pp. 857-864 Dragoon, A. (2003): ‘Business Intelligence Gets Smart(er); Companies are using business intelligence software for more than data mining. They’re using it to identify hot sellers, cut costs and discover new business.’, CIO, volume 16, issue 23 Elmes, M., D. Strong and O. Volkoff (2005): ‘Panoptic empowerment and reflective conformity in enterprise systems-enabled organizations’, Information and Organization, volume 15, issue 1, pp. 1-37 Emmanuel, C., D. Otley and K. Merchant (1995): ‘Accounting for Management Control’, London: Chapman and Hall Esteves, J. and J. Pastor (2001): ‘Enterprise resource planning systems research: An annotated bibliography’, Communications of the AIS, volume 7, issue 8, pp. 1-52 Fahy, M. J. (2000): ‘Strategic Enterprise Management: The Implications for Management Accounting and Control’, paper presented at the 23rd annual congress of the European Accounting Association, Munich, March 29-31, 2000 Flamholtz, F., T. K. Das and A. S. Tsui (1985): ‘Toward an Integrative Framework of Organizational Control’, Accounting Organizations and Society, volume 10, issue 1, pp. 35-50 Gelinas, U. J., S. G. Sutton and J. E. Hunton (2005): ‘Accounting Information Systems’, 6th edition, Ohio: South-Western, Thomson Gibson, R. (1998). 'Rethinking the Future: Rethinking Business Principles, Competition, Control and Complexity, Leadership, Markets and the World’. London: Nicholas Brealey Publishing Granlund, M. and J. Mouritsen (2003): ‘Introduction: problematizing the relationship between management control and information technology’. European Accounting Review, volume 12, issue 1, pp. 77-83 Granlund, M. and T. Malmi (2002): ’Moderate impact of ERPS on management accounting: a lag or permanent outcome?’, Management Accounting Research, volume 13, issue 3, pp. 299-321 Hartmann, F. and E. Vaassen (2003): ‘The Changing Role of Management Accounting and Control Systems: Accounting for Knowledge Across Control Domains’, in Bhimani, A. (Ed.): ‘Management Accounting in the Digital
Page 17
Economy’, Oxford: Oxford University Press Hyvönen, T. (2003): ‘Management Accounting and information systems: ERP vs. BoB’, European Accounting Review, volume 12, issue 1, pp. 155-173 Johnson, H. T. and R. S. Kaplan (1989). ‘Relevance Lost: The Rise and Fall of Management Accounting’, Boston: Harvard Business School Press Kaplan, R. S. and D. P. Norton (1996): ‘The Balanced Scorecard’, Boston, Massachusetts: Harvard Business School Press Klaus, H., M. Rosemann and G. G. Gable (2000): ‘What is ERP?’, Information Systems Frontiers, volume 2, issue 2, pp. 141-162 Kogut, B. (2003): ‘The Internet has Borders’, in Kogut, B. (ed.): ‘The Global Internet Economy’ Massachusetts: Massachusetts Institute of Technology Kræmmergaard, P. and C. Koch (2002): ‘Managing ERP after going-live‘, Proceedings of the 9th International Conference European Operations Management Association, Copenhagen Lowe, E. A. (1971): ‘On the Idea of a Management Control System: Integrating Accounting and Management Control’, The Journal of Management Studies, volume 8, issue 1, pp. 1-12 Markus, M. L., D. Petrie and S. Axline (2003): ‘Continuity versus discontinuity: Weighing the future for ERP packages’, in Shanks, G., P. Seddon and L. Willcocks (Eds.): ‘Second-wave enterprise resource planning systems implementing for effectiveness’, Cambridge: Cambridge University Press Merchant, K. A. and Van der Stede, W. A. (2003): ‘Management Control Systems: Performance Measurement, Evaluation and Incentives’, London: Pearson/Prentice Hall Møller, C., P. Kræmmergaard, and M. Rotbøl (2003): ‘Virksomhedssystemer i Danmark 2003 - en analyse af de 500 største danske virksomheders ERP systemer’, IFI working paper series no. 126 ISSN no. 1398-067X, Aarhus: Department of Information Science Otley, D. and A. Berry (1980): ‘Control, organization, and accounting’, Accounting, Organizations and Society, volume 5, issue 2, pp. 231-246 Pickford, J. (ed.) (2000): ‘Mastering Risk – The Concepts’, New York: Financial Times / Prentice Hall Rathe, A. W. (1960): 'Management control in business', in Malcolm, D.G. and A. J. Rowe (Eds.): ‘Management Control Systems’, New York: Wiley Rikhardsson, P. and P. Kræmmergaard (2005): ‘Identifying the effects of Enterprise System implementation and use: Examples from Denmark’, presented at the 2nd International Conference on Enterprise Systems and Accounting, Thessaloniki, July 11-12, 2005 Rom, A. and C. Rohde (2005): ‘Constructing a financial project management system in a medium-sized consulting company with the use of a combination of an ERP system and Microsoft Excel’, presented at the 2nd International Conference on Enterprise Systems and Accounting, Thessaloniki, July 11-12, 2005 Rom, A. and C. Rohde (forthcoming): ‘Enterprise Resource Planning (ERP) Systems, Strategic Enterprise Management (SEM) Systems and Management Accounting: a Danish Study’, forthcoming in Journal of Enterprise Information Management Rosemann, M. and zur Muehlen, M. (2005): ‘Integrating Risks in Business Process Models‘, presented at Australian Conference on Information Systems, Sydney, December Ross, J., M. R. Vitale and L. P. Willcocks (2003): ‘The continuing ERP revolution: Sustainable lessons, new modes of delivery’, in Shanks, G., P. Seddon and L. Willcocks (Eds.): ‘Second-wave enterprise resource planning systems -
Page 18
implementing for effectiveness’, Cambridge: Cambridge University Press SAP (2004), ‘SEM010: SEM Overview. Participant Handbook.’, Germany Scapens, R. and M. Jazayeri (2003): ‘ERP systems and Management Accounting Change: Opportunities or Impacts? A Research Note‘, European Accounting Review, volume 12, issue 1, pp. 201-233 Shanks, G., P. B. Seddon and L. P. Willcocks (Eds.) (2003): ‘Second-wave enterprise resource planning systems: Implementing for effectiveness’, Cambridge: Cambridge University Press Simons, R. (1995): ‘Levers of Control‘, Boston, Mass.: Harvard Business School Press Simons, R. (2000): ‘Performance measurement and control systems for implementing strategy: text and cases’, Upper Saddle River: Prentice Hall Simons, R. (2005): ’Levers of Organization Design’, Harvard: Harvard Business School Press Sjöblom, L. (2003): ‘Management Accounting in the New Economy: The rationale for Irrational Controls‘, in Bhimani, A. (Ed.): ‘Management Accounting in the Digital Economy’, Oxford: Oxford University Press Spathis, C. and S. Constantinides (2004): ‘Enterprise resource planning systems’ impact on accounting processes’, Business Process Management Journal, volume 10, issue 2, pp. 234-247 Sutton, S. (2005): ‘The Role of AIS research in guiding practice’, International Journal of Accounting Information Systems, volume 6, issue 1, pp. 1-4 Toffler, A. (1990): ‘The Third Wave’, London: Pan Books Weber, R. (2000). ‘Information Systems Control and Audit’, Upper Saddle River (NJ): Prentice Hall
